diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 31c3f2012bf6..09d99c3a6401 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -63,6 +63,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Winlogbeat*
- Add support to Sysmon file delete events (event ID 23). {issue}18094[18094]
+- Improve ECS field mappings in Sysmon module. `related.hash`, `related.ip`, and `related.user` are now populated. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding `process.hash`, `process.pe.imphash`, `file.hash`, or `file.pe.imphash`. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
*Functionbeat*
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index 8eea4b8a558f..f7dac99a4e82 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -332,10 +332,21 @@ var sysmon = (function () {
evt.Delete("user");
evt.Put("user.domain", userParts[0]);
evt.Put("user.name", userParts[1]);
+ evt.AppendTo("related.user", userParts[1]);
evt.Delete("winlog.event_data.User");
}
};
+ var setRuleName = function (evt) {
+ var ruleName = evt.Get("winlog.event_data.RuleName");
+ if (!ruleName || ruleName === "-") {
+ return;
+ }
+
+ evt.Put("rule.name", ruleName);
+ evt.Delete("winlog.event_data.RuleName");
+ };
+
var addNetworkDirection = function (evt) {
switch (evt.Get("winlog.event_data.Initiated")) {
case "true":
@@ -361,7 +372,39 @@ var sysmon = (function () {
evt.Delete("winlog.event_data.DestinationIsIpv6");
};
- var addHashes = function (evt, hashField) {
+ var setRelatedIP = function (evt) {
+ var sourceIP = evt.Get("source.ip");
+ if (sourceIP) {
+ evt.AppendTo("related.ip", sourceIP);
+ }
+
+ var destIP = evt.Get("destination.ip");
+ if (destIP) {
+ evt.AppendTo("related.ip", destIP);
+ }
+ };
+
+ var getHashPath = function (namespace, hashKey) {
+ if (hashKey === "imphash") {
+ return namespace + ".pe.imphash";
+ }
+
+ return namespace + ".hash." + hashKey;
+ };
+
+ var emptyHashRegex = /^0*$/;
+
+ var hashIsEmpty = function (value) {
+ if (!value) {
+ return true;
+ }
+
+ return emptyHashRegex.test(value);
+ }
+
+ // Adds hashes from the given hashField in the event to the 'hash' key
+ // in the specified namespace. It also adds all the hashes to 'related.hash'.
+ var addHashes = function (evt, namespace, hashField) {
var hashes = evt.Get(hashField);
evt.Delete(hashField);
hashes.split(",").forEach(function (hash) {
@@ -372,16 +415,31 @@ var sysmon = (function () {
var key = parts[0].toLowerCase();
var value = parts[1].toLowerCase();
+
+ if (hashIsEmpty(value)) {
+ return;
+ }
+
+ var path = getHashPath(namespace, key);
+
+ evt.Put(path, value);
+ evt.AppendTo("related.hash", value);
+
+ // TODO: remove in 8.0, see (https://github.com/elastic/beats/issues/18364).
evt.Put("hash." + key, value);
});
};
- var splitHashes = function (evt) {
- addHashes(evt, "winlog.event_data.Hashes");
+ var splitFileHashes = function (evt) {
+ addHashes(evt, "file", "winlog.event_data.Hashes");
};
- var splitHash = function (evt) {
- addHashes(evt, "winlog.event_data.Hash");
+ var splitFileHash = function (evt) {
+ addHashes(evt, "file", "winlog.event_data.Hash");
+ };
+
+ var splitProcessHashes = function (evt) {
+ addHashes(evt, "process", "winlog.event_data.Hashes");
};
var removeEmptyEventData = function (evt) {
@@ -477,6 +535,28 @@ var sysmon = (function () {
evt.Put("file.code_signature.valid", signatureStatus === "Valid");
};
+ var setAdditionalFileFieldsFromPath = function (evt) {
+ var filePath = evt.Get("file.path");
+ if (!filePath) {
+ return;
+ }
+
+ evt.Put("file.name", path.basename(filePath));
+ evt.Put("file.directory", path.dirname(filePath));
+
+ // path returns extensions with a preceding ., e.g.: .tmp, .png
+ // according to ecs the expected format is without it, so we need to remove it.
+ var ext = path.extname(filePath);
+ if (!ext) {
+ return;
+ }
+
+ if (ext.charAt(0) === ".") {
+ ext = ext.substr(1);
+ }
+ evt.Put("file.extension", ext);
+ };
+
// https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
var commonRegistryHives = {
HKEY_CLASSES_ROOT: "HKCR",
@@ -606,10 +686,11 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setProcessNameUsingExe)
.Add(splitProcessArgs)
.Add(addUser)
- .Add(splitHashes)
+ .Add(splitProcessHashes)
.Add(setParentProcessNameUsingExe)
.Add(splitParentProcessArgs)
.Add(removeEmptyEventData)
@@ -652,6 +733,8 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
+ .Add(setAdditionalFileFieldsFromPath)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();
@@ -727,6 +810,8 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
+ .Add(setRelatedIP)
.Add(setProcessNameUsingExe)
.Add(addUser)
.Add(addNetworkDirection)
@@ -792,6 +877,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();
@@ -833,8 +919,10 @@ var sysmon = (function () {
],
fail_on_error: false,
})
+ .Add(setRuleName)
+ .Add(setAdditionalFileFieldsFromPath)
.Add(setAdditionalSignatureFields)
- .Add(splitHashes)
+ .Add(splitFileHashes)
.Add(removeEmptyEventData)
.Build();
@@ -888,9 +976,11 @@ var sysmon = (function () {
],
fail_on_error: false,
})
+ .Add(setRuleName)
+ .Add(setAdditionalFileFieldsFromPath)
.Add(setAdditionalSignatureFields)
.Add(setProcessNameUsingExe)
- .Add(splitHashes)
+ .Add(splitFileHashes)
.Add(removeEmptyEventData)
.Build();
@@ -921,6 +1011,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();
@@ -956,6 +1047,8 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
+ .Add(setAdditionalFileFieldsFromPath)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();
@@ -998,6 +1091,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();
@@ -1039,6 +1133,8 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
+ .Add(setAdditionalFileFieldsFromPath)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();
@@ -1070,6 +1166,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setRegistryFields)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
@@ -1102,6 +1199,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setRegistryFields)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
@@ -1134,6 +1232,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setRegistryFields)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
@@ -1176,8 +1275,10 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
+ .Add(setAdditionalFileFieldsFromPath)
.Add(setProcessNameUsingExe)
- .Add(splitHash)
+ .Add(splitFileHash)
.Add(removeEmptyEventData)
.Build();
@@ -1235,6 +1336,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();
@@ -1276,6 +1378,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();
@@ -1294,6 +1397,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(addUser)
.Add(removeEmptyEventData)
.Build();
@@ -1316,6 +1420,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(addUser)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
@@ -1335,6 +1440,7 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(addUser)
.Add(removeEmptyEventData)
.Build();
@@ -1389,6 +1495,7 @@ var sysmon = (function () {
field: "dns.question.name",
target_field: "dns.question.registered_domain",
})
+ .Add(setRuleName)
.Add(translateDnsQueryStatus)
.Add(splitDnsQueryResults)
.Add(setProcessNameUsingExe)
@@ -1425,7 +1532,7 @@ var sysmon = (function () {
},
{
from: "winlog.event_data.TargetFilename",
- to: "file.name",
+ to: "file.path",
},
{
from: "winlog.event_data.Image",
@@ -1446,9 +1553,11 @@ var sysmon = (function () {
ignore_missing: true,
fail_on_error: false,
})
+ .Add(setRuleName)
.Add(addUser)
- .Add(splitHashes)
+ .Add(splitProcessHashes)
.Add(setProcessNameUsingExe)
+ .Add(setAdditionalFileFieldsFromPath)
.Add(removeEmptyEventData)
.Build();
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx
index 4258ea01dd7c..d3a5da134848 100644
Binary files a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx differ
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
index 1e36d89016c6..31c7d0a7a26d 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
@@ -1,4 +1,93 @@
[
+ {
+ "@timestamp": "2020-05-07T08:14:44.489Z",
+ "event": {
+ "code": 23,
+ "kind": "event",
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
+ },
+ "fields": {
+ "event": {
+ "category": [
+ "file"
+ ],
+ "type": [
+ "deletion"
+ ]
+ }
+ },
+ "file": {
+ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001",
+ "extension": "exe",
+ "name": "test.test.exe",
+ "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe"
+ },
+ "hash": {
+ "imphash": "d90d8c7812aec8da0fa173afa1293ab2",
+ "md5": "199e1cf5b2250bd515ecccf4ca686301"
+ },
+ "host": {
+ "name": "vagrant-2012-r2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "process": {
+ "entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}",
+ "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe",
+ "hash": {
+ "md5": "199e1cf5b2250bd515ecccf4ca686301"
+ },
+ "name": "go.exe",
+ "pe": {
+ "imphash": "d90d8c7812aec8da0fa173afa1293ab2"
+ },
+ "pid": 2184
+ },
+ "related": {
+ "hash": [
+ "199e1cf5b2250bd515ecccf4ca686301",
+ "d90d8c7812aec8da0fa173afa1293ab2"
+ ],
+ "user": "vagrant"
+ },
+ "rule": {
+ "name": "-"
+ },
+ "sysmon": {
+ "file": {
+ "archived": true,
+ "is_executable": true
+ }
+ },
+ "user": {
+ "domain": "VAGRANT-2012-R2",
+ "name": "vagrant"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2012-r2",
+ "event_id": 23,
+ "process": {
+ "pid": 664,
+ "thread": {
+ "id": 2360
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": 612,
+ "user": {
+ "domain": "NT AUTHORITY",
+ "identifier": "S-1-5-18",
+ "name": "SYSTEM",
+ "type": "Well Known Group"
+ },
+ "version": 5
+ }
+ },
{
"@timestamp": "2020-05-07T07:27:18.722Z",
"event": {
@@ -18,7 +107,10 @@
}
},
"file": {
- "name": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat"
+ "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local",
+ "extension": "dat",
+ "name": "lastalive0.dat",
+ "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat"
},
"hash": {
"sha1": "115106f5b338c87ae6836d50dd890de3da296367"
@@ -32,9 +124,16 @@
"process": {
"entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}",
"executable": "C:\\Windows\\System32\\svchost.exe",
+ "hash": {
+ "sha1": "115106f5b338c87ae6836d50dd890de3da296367"
+ },
"name": "svchost.exe",
"pid": 776
},
+ "related": {
+ "hash": "115106f5b338c87ae6836d50dd890de3da296367",
+ "user": "LOCAL SERVICE"
+ },
"rule": {
"name": "-"
},
@@ -70,5 +169,86 @@
},
"version": 5
}
+ },
+ {
+ "@timestamp": "2020-05-12T06:48:27.084Z",
+ "event": {
+ "code": 23,
+ "kind": "event",
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
+ },
+ "fields": {
+ "event": {
+ "category": [
+ "file"
+ ],
+ "type": [
+ "deletion"
+ ]
+ }
+ },
+ "file": {
+ "directory": "C:\\Windows\\System32\\LogFiles\\Scm",
+ "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d",
+ "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d"
+ },
+ "hash": {
+ "md5": "5a9bddf83be530b481f0fd24db28a6ff"
+ },
+ "host": {
+ "name": "vagrant-2012-r2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "process": {
+ "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}",
+ "executable": "C:\\Windows\\system32\\svchost.exe",
+ "hash": {
+ "md5": "5a9bddf83be530b481f0fd24db28a6ff"
+ },
+ "name": "svchost.exe",
+ "pid": 820
+ },
+ "related": {
+ "hash": "5a9bddf83be530b481f0fd24db28a6ff",
+ "user": "SYSTEM"
+ },
+ "rule": {
+ "name": "-"
+ },
+ "sysmon": {
+ "file": {
+ "archived": true,
+ "is_executable": false
+ }
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2012-r2",
+ "event_id": 23,
+ "process": {
+ "pid": 1188,
+ "thread": {
+ "id": 1600
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": 2243,
+ "user": {
+ "domain": "NT AUTHORITY",
+ "identifier": "S-1-5-18",
+ "name": "SYSTEM",
+ "type": "Well Known Group"
+ },
+ "version": 5
+ }
}
]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
index 3608a7889edb..cddd6776a82a 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
@@ -119,6 +119,9 @@
"command_line": "C:\\Windows\\Sysmon.exe",
"entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}",
"executable": "C:\\Windows\\Sysmon.exe",
+ "hash": {
+ "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e"
+ },
"name": "Sysmon.exe",
"parent": {
"args": [
@@ -133,6 +136,10 @@
"pid": 4860,
"working_directory": "C:\\Windows\\system32\\"
},
+ "related": {
+ "hash": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e",
+ "user": "SYSTEM"
+ },
"user": {
"domain": "NT AUTHORITY",
"name": "SYSTEM"
@@ -202,6 +209,9 @@
"command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding",
"entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}",
"executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe",
+ "hash": {
+ "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678"
+ },
"name": "unsecapp.exe",
"parent": {
"args": [
@@ -218,6 +228,10 @@
"pid": 5028,
"working_directory": "C:\\Windows\\system32\\"
},
+ "related": {
+ "hash": "6df8163a6320b80b60733f9d62e2f39b4b16b678",
+ "user": "SYSTEM"
+ },
"user": {
"domain": "NT AUTHORITY",
"name": "SYSTEM"
@@ -387,6 +401,9 @@
"command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
"entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}",
"executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "hash": {
+ "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21"
+ },
"name": "WmiPrvSE.exe",
"parent": {
"args": [
@@ -403,6 +420,10 @@
"pid": 4508,
"working_directory": "C:\\Windows\\system32\\"
},
+ "related": {
+ "hash": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21",
+ "user": "SYSTEM"
+ },
"user": {
"domain": "NT AUTHORITY",
"name": "SYSTEM"
@@ -483,6 +504,13 @@
"name": "svchost.exe",
"pid": 924
},
+ "related": {
+ "ip": [
+ "a00:20f:0:0:18a2:6e00:e0:ffff",
+ "a00:203:3000:3000:3000:3000:3000:3300"
+ ],
+ "user": "NETWORK SERVICE"
+ },
"source": {
"ip": "a00:20f:0:0:18a2:6e00:e0:ffff",
"port": 62141
@@ -557,6 +585,13 @@
"name": "svchost.exe",
"pid": 924
},
+ "related": {
+ "ip": [
+ "10.0.2.15",
+ "10.0.2.3"
+ ],
+ "user": "NETWORK SERVICE"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "10.0.2.15",
@@ -632,6 +667,13 @@
"name": "chrome.exe",
"pid": 1600
},
+ "related": {
+ "ip": [
+ "10.0.2.15",
+ "40.77.226.250"
+ ],
+ "user": "vagrant"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "10.0.2.15",
@@ -707,6 +749,13 @@
"name": "chrome.exe",
"pid": 1600
},
+ "related": {
+ "ip": [
+ "10.0.2.15",
+ "40.77.226.250"
+ ],
+ "user": "vagrant"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "10.0.2.15",
@@ -782,6 +831,13 @@
"name": "System",
"pid": 4
},
+ "related": {
+ "ip": [
+ "10.0.2.15",
+ "10.0.2.255"
+ ],
+ "user": "SYSTEM"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "10.0.2.15",
@@ -861,6 +917,13 @@
"name": "System",
"pid": 4
},
+ "related": {
+ "ip": [
+ "10.0.2.255",
+ "10.0.2.15"
+ ],
+ "user": "SYSTEM"
+ },
"source": {
"ip": "10.0.2.255",
"port": 137
@@ -938,6 +1001,13 @@
"name": "svchost.exe",
"pid": 924
},
+ "related": {
+ "ip": [
+ "fe80:0:0:0:e488:b85c:5262:ff86",
+ "ff02:0:0:0:0:0:1:3"
+ ],
+ "user": "NETWORK SERVICE"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "fe80:0:0:0:e488:b85c:5262:ff86",
@@ -1013,6 +1083,13 @@
"name": "svchost.exe",
"pid": 924
},
+ "related": {
+ "ip": [
+ "a00:20f:0:0:18a2:6e00:e0:ffff",
+ "e000:fc:4300:6800:7200:6f00:6d00:6500"
+ ],
+ "user": "NETWORK SERVICE"
+ },
"source": {
"ip": "a00:20f:0:0:18a2:6e00:e0:ffff",
"port": 55542
@@ -1087,6 +1164,13 @@
"name": "System",
"pid": 4
},
+ "related": {
+ "ip": [
+ "169.254.180.25",
+ "169.254.255.255"
+ ],
+ "user": "SYSTEM"
+ },
"source": {
"ip": "169.254.180.25",
"port": 137
@@ -1164,6 +1248,13 @@
"name": "System",
"pid": 4
},
+ "related": {
+ "ip": [
+ "169.254.255.255",
+ "169.254.180.25"
+ ],
+ "user": "SYSTEM"
+ },
"source": {
"ip": "169.254.255.255",
"port": 137
@@ -1241,6 +1332,13 @@
"name": "svchost.exe",
"pid": 924
},
+ "related": {
+ "ip": [
+ "fe80:0:0:0:616f:32fa:b04f:b419",
+ "ff02:0:0:0:0:0:1:3"
+ ],
+ "user": "NETWORK SERVICE"
+ },
"source": {
"ip": "fe80:0:0:0:616f:32fa:b04f:b419",
"port": 55717
@@ -1315,6 +1413,13 @@
"name": "svchost.exe",
"pid": 924
},
+ "related": {
+ "ip": [
+ "a9fe:b419:0:0:f880:2301:e0:ffff",
+ "e000:fc:0:0:0:0:0:0"
+ ],
+ "user": "NETWORK SERVICE"
+ },
"source": {
"ip": "a9fe:b419:0:0:f880:2301:e0:ffff",
"port": 55717
@@ -1389,6 +1494,13 @@
"name": "System",
"pid": 4
},
+ "related": {
+ "ip": [
+ "10.0.2.15",
+ "40.77.226.250"
+ ],
+ "user": "SYSTEM"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "10.0.2.15",
@@ -1467,6 +1579,13 @@
"name": "System",
"pid": 4
},
+ "related": {
+ "ip": [
+ "10.0.2.15",
+ "10.0.2.3"
+ ],
+ "user": "SYSTEM"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "10.0.2.15",
@@ -1545,6 +1664,13 @@
"name": "System",
"pid": 4
},
+ "related": {
+ "ip": [
+ "10.0.2.15",
+ "169.254.255.255"
+ ],
+ "user": "SYSTEM"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "10.0.2.15",
@@ -1623,6 +1749,13 @@
"name": "System",
"pid": 4
},
+ "related": {
+ "ip": [
+ "10.0.2.15",
+ "169.254.180.25"
+ ],
+ "user": "SYSTEM"
+ },
"source": {
"domain": "vagrant-2012-r2.local.crowbird.com",
"ip": "10.0.2.15",
@@ -1777,6 +1910,9 @@
}
},
"file": {
+ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data",
+ "extension": "tmp",
+ "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp",
"path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp"
},
"host": {
@@ -1837,6 +1973,9 @@
}
},
"file": {
+ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data",
+ "extension": "tmp",
+ "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp",
"path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp"
},
"host": {
@@ -1897,6 +2036,9 @@
}
},
"file": {
+ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default",
+ "extension": "tmp",
+ "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp",
"path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp"
},
"host": {
@@ -1957,6 +2099,9 @@
}
},
"file": {
+ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default",
+ "extension": "tmp",
+ "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp",
"path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp"
},
"host": {
@@ -2067,6 +2212,9 @@
}
},
"file": {
+ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def",
+ "extension": "tmp",
+ "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp",
"path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp"
},
"host": {
@@ -2127,6 +2275,9 @@
}
},
"file": {
+ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def",
+ "extension": "tmp",
+ "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp",
"path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp"
},
"host": {